Open ksuuk opened 2 years ago
----- Message from ksuuk @.> ---------
Date: Thu, 09 Jun 2022 14:16:16 -0700
From: ksuuk @.>
Reply-To: trusteddomainproject/OpenDMARC
@.>
Subject: [trusteddomainproject/OpenDMARC] v1.4.2 always crashes when
message contains ARC-Seal headers. (Issue #222)
To: trusteddomainproject/OpenDMARC @.>
Cc: Subscribed @.***>
Hi,
OpenDmarc 1.3.2 versus 1.4.2 issue, both compiled with same options:

./configure --with-sql-backend --with-spf -with-spf2-include=%{_prefix}/include/spf2 --with-spf2-lib=%{_libdir}/libspf2.so

Conf is also same:

AutoRestart true
IgnoreAuthenticatedClients true
IgnoreHosts /etc/opendmarc/ignore.hosts
PidFile /var/run/opendmarc/opendmarc.pid
RejectFailures false
RequiredHeaders true
Socket local:/var/run/opendmarc/opendmarc.sock
SPFSelfValidate true
Syslog true
UMask 002
UserID opendmarc:opendmarc
AuthservID DMARC
TrustedAuthservIDs rull.metroprint.ee
AutoRestartRate 10/1M

opendmarc: OpenDMARC Filter v1.4.2
SMFI_VERSION 0x1000001
libmilter version 1.0.1
Active code options:
WITH_SPF
WITH_SPF2

Jun 9 23:28:36 servu opendmarc[55548]: A3DEC7F9B5 ignoring Authentication-Results at 0 from DKIM
Jun 9 23:28:36 servu opendmarc[55548]: A3DEC7F9B5 ignoring Authentication-Results at 1 from SPF
Jun 9 23:28:36 servu opendmarc[55548]: A3DEC7F9B5 ignoring Authentication-Results at 3 from ARC
Jun 9 23:28:36 servu opendmarc[55548]: A3DEC7F9B5: SPF(mailfrom): domain1.com pass
Jun 9 23:28:36 servu postfix/cleanup[55537]: warning: milter unix:/var/run/opendmarc/opendmarc.sock: can't read SMFIC_BODYEOB reply packet header: Success
Jun 9 23:28:36 servu opendmarc[55364]: terminated with signal 6, restarting
Jun 9 23:28:36 servu opendmarc[55574]: OpenDMARC Filter v1.4.2 starting (args: -c /etc/opendmarc.conf)
Jun 9 23:28:36 servu opendmarc[55574]: additional trusted authentication services: servu.domain2.com

Patch #183[1] doesn't help.

opendmarc: OpenDMARC Filter v1.3.2
SMFI_VERSION 0x1000001
libmilter version 1.0.1
Active code options:
WITH_SPF
WITH_SPF2

Jun 9 23:36:45 servu opendmarc[2173]: A67738229B ignoring Authentication-Results at 0 from DKIM
Jun 9 23:36:45 servu opendmarc[2173]: A67738229B ignoring Authentication-Results at 1 from SPF
Jun 9 23:36:45 servu opendmarc[2173]: A67738229B ignoring Authentication-Results at 3 from ARC
Jun 9 23:36:45 servu opendmarc[2173]: A67738229B: SPF(mailfrom): @.*** pass

BTW, is this bug or feature, that v1.4.2 SPF(mailfrom) shows only sender domain, not the full sender address?
----- End message from ksuuk @.***> -----
On your question on bug or feature, SPF only validates the domain...
RFC7489 3.1 on SPF: "while [SPF] can authenticate either the domain that appears in the RFC5321.MailFrom (MAIL FROM) portion of [SMTP] or the RFC5321.EHLO/ HELO domain, or both"
[1] https://github.com/trusteddomainproject/OpenDMARC/issues/183
[2] https://github.com/trusteddomainproject/OpenDMARC/issues/222
Simon Wilson M: 0400 12 11 16
I think I'm seeing something similar, but only when the ARC header is malformed in a specific way. From maillog:
4LPgLN3XLBz4f6Wy9: ignoring invalid ARC-Authentication-Results header "i=1;#012#011smtpd-out;#012#011none"
That consistently preceded OpenDMARC entering a failure state. When the ARC header was malformed differently, it was correctly ignored by OpenDMARC, potentially thanks to the previous patch. This is happening with a manual build of 1.4.2:
opendmarc -V
opendmarc: OpenDMARC Filter v1.4.2
SMFI_VERSION 0x1000001
libmilter version 1.0.1
Active code options:
WITH_SPF
WITH_SPF2
We continue to run version 1.3.2-1 on RHEL 7 (EPEL 7) since all of the below versions have crashed for various reasons, the latest of which has to do with the parsing of the ARC-Seal: header:
opendmarc Version 1.4.1.1 Release 1.el7 (CRASHES, adds patch for rhbz#1972292)
libopendmarc Version 1.4.1.1 Release 1.el7 (CRASHES, adds patch for rhbz#1972292)
opendmarc Version 1.4.1.1 Release 2.el7 (CRASHES, adds patch for rhbz#1974707)
libopendmarc Version 1.4.1.1 Release 2.el7 (CRASHES, adds patch for rhbz#1974707)
opendmarc Version 1.4.1.1 Release 3.el7 (CRASHES, adds patch for rhbz#1915468)
libopendmarc Version 1.4.1.1 Release 3.el7 (CRASHES, adds patch for rhbz#1915468)
Version 1.4.2 is not yet available via the EPEL 7 repository, so we're still stuck at version 1.3.2-1 until this is fixed.
I have pinpointed where our opendmarc (1.4.1.1-3.el7) is crashing while running it in the foreground and feeding our MTA an email message with the malformed header "ARC-Seal: none":
opendmarc: opendmarc-arcseal.c:98: opendmarc_arcseal_strip_whitespace: Assertion `string != ((void *)0)' failed. Aborted
It appears, perhaps, that the following commit may well have fixed this problem (in 1.4.2?) by checking for a null string prior to calling opendmarc_arcseal_strip_whitespace():
https://github.com/trusteddomainproject/OpenDMARC/commit/92c18757c85c95a77d0d0305ce80ac788e9185ca
So it would appear that we will have to wait until EPEL 7 carries opendmarc 1.4.2 -- can anyone confirm this? This particular issue's subject implies that we may still have issues with ARC-Seal headers even in 1.4.2.
Is there perhaps some way to disable all ARC header processing in the configuration file? If not, should there be?
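An added example (not OpenDMARC code and not part of the thread) of the defensive pattern the comment above describes: a tag=value header parser that returns an error for input such as "ARC-Seal: none" instead of asserting, so the filter process can ignore the header and keep running. The names parse_tag_list and trim are hypothetical, and the inputs are constructed from the header values quoted in this thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: trim whitespace in place; only called on non-NULL. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s))
        s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* Parse "tag=value; tag=value". Returns the tag count, or -1 when any
 * token has no '=' or an empty tag, so the caller can skip the header. */
int parse_tag_list(const char *hdr)
{
    char buf[1024];
    int ntags = 0;

    if (hdr == NULL || strlen(hdr) >= sizeof buf)
        return -1;                  /* missing or oversized: reject */
    strcpy(buf, hdr);
    for (char *tok = buf, *next; tok != NULL; tok = next) {
        next = strchr(tok, ';');
        if (next != NULL)
            *next++ = '\0';
        tok = trim(tok);
        if (*tok == '\0')
            continue;               /* trailing ';' or blank segment */
        char *eq = strchr(tok, '=');
        if (eq == NULL)
            return -1;              /* no value at all: reject, never abort */
        *eq = '\0';
        if (*trim(tok) == '\0')
            return -1;              /* "=value" with no tag name */
        ntags++;
    }
    return ntags > 0 ? ntags : -1;
}

int main(void)
{
    /* Constructed inputs; the last two mirror the malformed values quoted above. */
    printf("%d %d %d\n", parse_tag_list("i=1; a=rsa-sha256; cv=none; d=example.com"),
           parse_tag_list("none"), parse_tag_list("i=1;\n\tsmtpd-out;\n\tnone"));
}
```

In syslog output the newline and tab inside a folded header appear as #012 and #011, which is why the third input matches the maillog line quoted earlier.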
Yes, 1.4.2 is also not stable, see https://github.com/trusteddomainproject/OpenDMARC/issues/183 for some details.